Intel warns of a new leak in Core processors that gives information
Intel has warned of a new vulnerability in its Core processors dealing with speculative execution such as Meltdown. The leak, which is classified as ‘medium’ by the chipmaker, discloses information between processes.
Intel has published a brief warning in which it thanked researchers from Amazon, Cyberus and Sysgo for reporting the leak. Also thanks the developer Colin Percival, who on Twitter reveals more details about the leak with characteristic CVE-2018-3665. The leak has to do with a technique known as ‘lazy fp state restore’. Percival explains that an attacker can use the leak to extract data from the register memory of a processor, or more specifically the floating point unit . He calls the example of encryption keys. For that the attacker must be able to execute code on the same CPU as the target.
He further states that it is possible to carry out the attack from a browser, but that abuse of the leak is a lot more difficult than at Meltdown. It would have taken Percival about five hours to write an exploit after attending a presentation on the subject. Several organizations have published advisories including Microsoft. The company writes that the ‘lazy restore’ technique is activated in Windows by default and can not be switched off. However, it does not provide information about affected Windows versions and states that it is still with information about it. Users of vm’s in Azure are not affected.
The Intel warning states that the use of ‘eager fp state restore’ prevents misuse of the leak. The Register notes that this technique since 2016 or version 4.9, is used in the Linux kernel, so that recent kernels are not vulnerable. Amazon says in an advisory that his AWS service has not been taken. Systems that run Xen have been affected but patches are available. Red Hat is also working on patches for RHEL 6 and lower .
Cyberus, one of the companies involved in reporting the leak, writes that it was actually the intention ] to announce the details only in August, but that information had already been published earlier. ZDNet, who spoke with Jon Masters of Red Hat, writes that no microcode patches from Intel are needed to close the leak. Masters states that the leak is ‘difficult to abuse and easy to seal’. There are no indications that Arm or AMD has been affected.
He further states that it is possible to carry out the attack from a browser, but that abuse of the leak is a lot more difficult than at Meltdown. It would have taken Percival about five hours to write an exploit after attending a presentation on the subject. Several organizations have published advisories including Microsoft. The company writes that the ‘lazy restore’ technique is activated in Windows by default and can not be switched off. However, it does not provide information about affected Windows versions and states that it is still with information about it. Users of vm’s in Azure are not affected.
The Intel warning states that the use of ‘eager fp state restore’ prevents misuse of the leak. The Register notes that this technique since 2016 or version 4.9, is used in the Linux kernel, so that recent kernels are not vulnerable. Amazon says in an advisory that his AWS service has not been taken. Systems that run Xen have been affected but patches are available. Red Hat is also working on patches for RHEL 6 and lower .
Cyberus, one of the companies involved in reporting the leak, writes that it was actually the intention ] to announce the details only in August, but that information had already been published earlier. ZDNet, who spoke with Jon Masters of Red Hat, writes that no microcode patches from Intel are needed to close the leak. Masters states that the leak is ‘difficult to abuse and easy to seal’. There are no indications that Arm or AMD has been affected.